Side-channel data leakage comes from data that mobile application developers don't realize is being cached, logged or stored -- either inside their application or by the operating system of the mobile device. There are several unobtrusive ways in which such data might end up in the wrong hands if the development team is not very careful. Data leakage detection during the testing phase is essential to curb this threat.
One way that information can be accidentally leaked is in the form of picture snapshots. Jack Mannino tells us that it is fairly common for mobile operating systems, particularly iOS, to take a snapshot of a running application when a call interrupts it. This is Apple's sneaky way of making its applications seem to load instantaneously: when the user returns, iOS first displays a screenshot of the last thing the user saw in that application, and by the time the user is ready to interact with it, the system has loaded the actual app.
It's a great trick for speeding up load times and usually won't cause a problem. However, there are times when such a screenshot could potentially hold sensitive information. For instance, if the user happens to receive a phone call while in the middle of ordering something online with a credit card, the credit card number, expiration date and even security code could all be plainly displayed in that quick snapshot. If it hangs around in a cache somewhere, there is potential that someone other than the user can access it.
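The standard mitigation on iOS is to cover the interface before the system takes its snapshot, so the cached image shows a blank or blurred screen rather than the checkout form. The following is an added example (not code from the article or from the people quoted in it) that does this from a scene delegate; `CheckoutViewController` is a hypothetical placeholder for whatever screen displays the card details.

```swift
import UIKit

// Hypothetical screen that displays the sensitive form (card number, expiry, CVV).
final class CheckoutViewController: UIViewController {}

// Covers the window whenever the app stops being the active scene (incoming call,
// app switcher, Control Center). The snapshot iOS caches for the app switcher and
// for the fast relaunch is taken after sceneWillResignActive, so the cover is what
// ends up on disk instead of the last form the user was filling in.
final class SceneDelegate: UIResponder, UIWindowSceneDelegate {
    var window: UIWindow?

    // Arbitrary tag so the cover view can be found and removed again.
    private let coverTag = 0x5AFE

    func scene(_ scene: UIScene, willConnectTo session: UISceneSession,
               options connectionOptions: UIScene.ConnectionOptions) {
        guard let windowScene = scene as? UIWindowScene else { return }
        window = UIWindow(windowScene: windowScene)
        window?.rootViewController = CheckoutViewController()
        window?.makeKeyAndVisible()
    }

    func sceneWillResignActive(_ scene: UIScene) {
        // Add the cover only once, even if resign/become-active fire repeatedly.
        guard let window = window, window.viewWithTag(coverTag) == nil else { return }
        let cover = UIVisualEffectView(effect: UIBlurEffect(style: .systemMaterial))
        cover.frame = window.bounds
        cover.autoresizingMask = [.flexibleWidth, .flexibleHeight]
        cover.tag = coverTag
        window.addSubview(cover)
    }

    func sceneDidBecomeActive(_ scene: UIScene) {
        // The user is back in the foreground; reveal the real content again.
        window?.viewWithTag(coverTag)?.removeFromSuperview()
    }
}
```

Testing this is straightforward: background the app from the sensitive screen on a device or simulator, open the app switcher and confirm the card shows the blurred cover, then check the app container's snapshot directory under `Library/SplashBoard` (or the older `Library/Caches/Snapshots` path on legacy versions) for any image that still reveals the form.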
Another example comes from mobile application developers moving too quickly. Mobile developers frequently write debugging log files to the device's local storage, according to DeLaGrange. It allows them to access the logs offline and can help improve performance. However, this habit can lead to two dangers. If the developer's mobile device is lost or stolen, log files containing potentially sensitive information -- such as a username and password -- could be available even after the app has been uninstalled.
There is also the possibility that debugging features can make their way into apps that are being distributed. "I have seen mobile applications where debug features are left enabled after moving to production," DeLaGrange said, "which logged each login and transaction, and included account credentials and sensitive information in a log file without any form of encryption."
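Two controls address the scenario DeLaGrange describes: debug logging should be compiled out of release builds rather than toggled at runtime, and whatever does get logged should pass through a redaction step so credentials and card data never reach a log file in the first place. The block below is an added example, not code from the article; the subsystem name, category and list of sensitive keys are assumptions you would replace with your own.

```swift
import Foundation
import os

// A small logging wrapper that (1) is compiled out of non-DEBUG builds and
// (2) strips known-sensitive fields before anything reaches the unified log.
enum AppLog {
    // Field names that must never be written to a log. Extend for your own app.
    private static let sensitiveKeys: Set<String> = [
        "password", "passwd", "pin", "card_number", "cvv", "session_token"
    ]

    // Subsystem and category are placeholders for this example.
    private static let logger = Logger(subsystem: "com.example.app", category: "checkout")

    /// Returns a copy of `fields` with sensitive values replaced. Kept as a pure
    /// function so the redaction itself can be unit-tested in the app's test target.
    static func redacted(_ fields: [String: String]) -> [String: String] {
        var out: [String: String] = [:]
        for (key, value) in fields {
            out[key] = sensitiveKeys.contains(key.lowercased()) ? "[REDACTED]" : value
        }
        return out
    }

    /// Debug-only log line. In a Release configuration the body is not compiled,
    /// so a forgotten call cannot leak into a shipped build.
    static func debug(_ message: String, fields: [String: String] = [:]) {
        #if DEBUG
        let safe = redacted(fields)
            .map { "\($0.key)=\($0.value)" }
            .sorted()
            .joined(separator: " ")
        // Mark the interpolations public deliberately: they have already been redacted.
        logger.debug("\(message, privacy: .public) \(safe, privacy: .public)")
        #endif
    }
}

// Constructed sample call; the credentials are fake.
AppLog.debug("login attempt", fields: ["user": "alice", "password": "hunter2"])
// Debug build logs: "login attempt password=[REDACTED] user=alice"
```

Note that `os.Logger` already defaults dynamic string interpolations to `.private`, which hides them in the console for users who are not debugging the device, but that is a display-time control; the redaction above removes the value before it is ever recorded, which is the property a tester should be verifying.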
"As with testing for insecure data storage," explained DeLaGrange, "Mobile app testers should take a forensic approach. Test each platform supported by the application. Check for sensitive information in log files, temporary directories and Web caches."
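The forensic check DeLaGrange recommends can be partly automated: pull the app container from a simulator or a device backup and sweep the log, temporary and cache directories for credential-shaped strings. The following is an added example of such a sweep, written as a Swift script rather than taken from the article; the directory list and regular expressions are starting points you would tune for the application under test, and the sample log line is constructed.

```swift
import Foundation

struct Finding {
    let path: String
    let label: String
    let excerpt: String
}

// Patterns for data that should never appear in plaintext on the device.
// These are deliberately broad; a tester reviews the hits by hand.
let patterns: [(label: String, regex: String)] = [
    ("possible card number", #"\b(?:\d[ -]?){13,16}\b"#),
    ("password field",       #"(?i)(password|passwd|pwd)\s*[=:]\s*\S+"#),
    ("bearer token",         #"(?i)bearer\s+[a-z0-9\-._~+/]+=*"#),
    ("email address",        #"[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}"#),
]

// Scans one text blob and returns every match with the pattern that fired.
func scan(text: String, path: String) -> [Finding] {
    var findings: [Finding] = []
    for (label, pattern) in patterns {
        guard let re = try? NSRegularExpression(pattern: pattern, options: [.caseInsensitive])
        else { continue }
        let whole = NSRange(text.startIndex..., in: text)
        for match in re.matches(in: text, range: whole) {
            if let r = Range(match.range, in: text) {
                findings.append(Finding(path: path, label: label, excerpt: String(text[r])))
            }
        }
    }
    return findings
}

// Walks the locations in an app container where leaked data typically lands.
// Binary files (SQLite, binarycookies) fail the UTF-8 read and are skipped here;
// those need their own parsers and should be reviewed separately.
func scanContainer(at root: URL) -> [Finding] {
    let fm = FileManager.default
    let interesting = ["Library/Logs", "Library/Caches", "tmp", "Documents"]
    var results: [Finding] = []
    for sub in interesting {
        let dir = root.appendingPathComponent(sub)
        guard let en = fm.enumerator(at: dir, includingPropertiesForKeys: nil) else { continue }
        for case let file as URL in en {
            guard let text = try? String(contentsOf: file, encoding: .utf8) else { continue }
            results += scan(text: text, path: file.path)
        }
    }
    return results
}

// Constructed sample line showing what a leaked debug log might look like.
let sample = "2024-01-01 10:00:00 login user=alice password=hunter2 card=4111 1111 1111 1111"
for f in scan(text: sample, path: "<constructed sample>") {
    print("[\(f.label)] \(f.path): \(f.excerpt)")
}

// Real run: swift scan.swift /path/to/app/container
if CommandLine.arguments.count > 1 {
    let root = URL(fileURLWithPath: CommandLine.arguments[1])
    for f in scanContainer(at: root) {
        print("[\(f.label)] \(f.path): \(f.excerpt)")
    }
}
```

Run it against each platform the app supports, as the quote says: on Android the equivalent sweep covers `logcat` output and the app's private data directory, and on both platforms it should be repeated after uninstalling the app, since DeLaGrange's point is that log files can outlive the application that wrote them.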